AIX Remote Root Exploit

06/25/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in AIX's rsh, the curses library, Red Hat Linux's XFree86 packages, xinetd, MDBMS, BestCrypt, and cfingerd; format-string vulnerabilities in Kaspersky AntiVirus, eXtremail, and the Solaris at command; a symbolic-link race condition in KTVision; and problems in pmpost, AIX's diagrpt, and iptables.

A buffer overflow has been reported in the rsh command that is distributed with IBM's AIX version 4.2. This buffer overflow may be exploited to execute arbitrary code with the permissions of the root user.

Users of AIX 4.2 should watch IBM for a patch and further information about this problem.

The curses library, a system library shipped with UnixWare and OpenServer that is used to manipulate a user's display without regard to the terminal type, has a buffer overflow that can be exploited by an attacker to obtain root access. This buffer overflow affects UnixWare 7 and OpenServer versions 5.0.6a and earlier. The actual exploit is performed through set user id root applications that are linked to the curses library, such as the atcronsh command in OpenServer and the rtpm command in UnixWare 7.

Caldera recommends that users of UnixWare remove the set user id bit from /usr/sbin/rtpm as soon as possible and that they replace the affected applications with a patched version. They also recommend that users of OpenServer remove the set user id bit from /usr/lib/sysadm/atcronsh and replace the application with a patched version as soon as possible.

Red Hat Linux has released updated XFree86 version 3.3.6 packages that apply many security and bug fixes and contain updated drivers for several different groups of cards. The security problems that are fixed in these packages include numerous buffer overflows, denial-of-service attacks, and temporary-file race condition problems.

Kaspersky AntiVirus is a commercial antiviral package for many platforms including Exchange, Notes, sendmail, QMail, and Postfix. Kaspersky AntiVirus has a format-string vulnerability in the utility that it uses to scan and disinfect mail as it is processed by sendmail. This format-string vulnerability may be used by an attacker to execute arbitrary code with the permissions of the user that sendmail is executing as (often the root user). The application also has a potential temporary-file race condition.

It is recommended that users disable syslog by setting usesyslog=no in the avkeeper.ini file and contact the vendor for an updated version.

xinetd has a buffer overflow that can be remotely exploited to obtain increased privileges. It also starts with its umask set to 0, so any application that xinetd starts inherits this umask and may create world-writable files. The xinetd distributed with Immunix is reported not to be exploitable through the buffer overflow because of its StackGuard protections.

Users should upgrade their xinetd package as soon as possible and should examine their system for world-writable files.

BestCrypt provides an encrypted file system on a loop-back device. Versions of BestCrypt earlier than 0.8-2 have a buffer overflow in the bctool program that can be exploited to execute arbitrary code as root. This buffer overflow occurs during the unmounting of a file system.

Users of BestCrypt should upgrade to version 0.8-2 as soon as possible.

pmpost, a utility in the pcp suite from SGI, improperly follows symbolic links and, if installed set user id root, can be exploited to gain root privileges. This package is exploitable under IRIX and under SuSE versions 7.1 and 7.2, but it is not installed by default under SuSE.

SuSE recommends that users remove the set user id bits from the pmpost and pmkstat utilities. Users should watch their vendor for an update to the pcp package.

KTVision, a KDE frame-grabber card application, is vulnerable to a symbolic-link race-condition attack. On systems that have had KTVision installed set user id root, this attack can be used to overwrite any file on the system.

Users should remove the set user id bit from KTVision until a fixed version has been installed.